PT-2021-14650 · Jenkins · Jenkins

Wadeck Follonier · Published 2021-01-13 · Updated 2024-03-06

CVE-2021-21607
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Software and Versions
Jenkins versions 2.274 and earlier
Jenkins LTS versions 2.263.1 and earlier
Description
Jenkins renders a number of graphs on request, for example agent and label usage statistics, memory usage, and statistics supplied by plugins. The graph-rendering URLs accept size values as query parameters, and the affected versions place no upper bound on them, so each request allocates an image as large as the client asks for. A crafted URL can therefore consume all available memory and crash Jenkins with out-of-memory errors; the impact is to availability only, as the CVSS vector reflects. Attackers can request such URLs themselves or have legitimate Jenkins users request them on their behalf.
Recommendations
Jenkins 2.275 and Jenkins LTS 2.263.2 limit the maximum size of a graph. For Jenkins 2.274 and earlier, update to 2.275 or later; for Jenkins LTS 2.263.1 and earlier, update to 2.263.2 or later. Once the fix is installed, the threshold can be tuned by setting the Java system property hudson.util.Graph.maxArea to a different number on startup (for example -Dhudson.util.Graph.maxArea=<pixels> on the Jenkins command line). The property is read by the fixed code, so it adjusts the limit after updating; it does not protect a version that lacks the fix, where updating is the only remedy.
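As an added example that is not Jenkins code, the Python below models the bound the fix introduces (width times height checked against a maximum area) next to the unbounded behaviour of the affected versions, and runs the same check over constructed access-log lines to pick out requests that would have exceeded it. The parameter names width and height, the "/graph" path fragment, the default of 10,000,000 pixels and the 4 bytes per pixel are assumptions; the advisory names the hudson.util.Graph.maxArea property but not its default value.

```python
"""Model of the width*height bound behind CVE-2021-21607, plus a log check.

Added example, not Jenkins code. Assumptions: graph endpoints take integer
`width` and `height` query parameters, graph URLs contain "/graph", the bound
defaults to 10_000_000 pixels, and a pixel costs 4 bytes. The advisory names
the property hudson.util.Graph.maxArea but not its default.
"""
import re
from urllib.parse import parse_qs, urlsplit

MAX_AREA = 10_000_000          # assumed default for hudson.util.Graph.maxArea
BYTES_PER_PIXEL = 4            # assumed: 32-bit ARGB raster


def requested_area(url):
    """Return (width, height, width*height) taken from the query string.

    Returns None when either parameter is absent, non-numeric or not positive,
    i.e. when the server would fall back to defaults or reject the value.
    """
    params = parse_qs(urlsplit(url).query)
    try:
        width = int(params.get("width", ["-1"])[0])
        height = int(params.get("height", ["-1"])[0])
    except ValueError:
        return None
    if width <= 0 or height <= 0:
        return None
    return width, height, width * height


def vulnerable_allocation_bytes(url):
    """Unfixed behaviour: whatever area the client asks for gets allocated."""
    area = requested_area(url)
    return 0 if area is None else area[2] * BYTES_PER_PIXEL


def within_limit(url, max_area=MAX_AREA):
    """Fixed behaviour: refuse to render when width*height exceeds max_area.

    Python ints never overflow. A Java port must compute the product in a
    long (or bound each dimension on its own) so that a huge width*height
    cannot wrap to a small or negative int and slip past the comparison.
    """
    area = requested_area(url)
    if area is None:
        return True                 # defaults apply, nothing oversized requested
    return area[2] <= max_area


# Constructed access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jan/2021:10:00:01 +0000] "GET /load-statistics/graph/png?type=min&width=500&height=200 HTTP/1.1" 200 4321',
    '203.0.113.7 - - [13/Jan/2021:10:00:02 +0000] "GET /load-statistics/graph/png?type=min&width=20000&height=20000 HTTP/1.1" 200 0',
    '203.0.113.7 - - [13/Jan/2021:10:00:03 +0000] "GET /computer/graph?width=3000&height=3000 HTTP/1.1" 200 9876',
    '10.0.0.9 - - [13/Jan/2021:10:00:04 +0000] "GET /job/build/ HTTP/1.1" 200 1234',
    '198.51.100.2 - - [13/Jan/2021:10:00:05 +0000] "GET /computer/graph?width=abc&height=200 HTTP/1.1" 400 0',
    '198.51.100.2 - - [13/Jan/2021:10:00:06 +0000] "GET /computer/graph?width=-1&height=200 HTTP/1.1" 200 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)


def flag_oversized_requests(lines, max_area=MAX_AREA):
    """Return (client, path, area) for graph requests whose area exceeds max_area."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/graph" not in m.group("path"):
            continue
        area = requested_area(m.group("path"))
        if area is not None and area[2] > max_area:
            hits.append((m.group("ip"), m.group("path"), area[2]))
    return hits


if __name__ == "__main__":
    for ip, path, area in flag_oversized_requests(SAMPLE_LOG):
        gib = area * BYTES_PER_PIXEL / 2**30
        print(f"{ip} requested {area:,} pixels (~{gib:.1f} GiB): {path}")
```

Run stand-alone, the script lists the one constructed request whose 20000x20000 graph would need roughly 1.5 GiB for the raster alone; the 3000x3000 request stays under the assumed bound and is not reported. The same parsing can be pointed at a reverse proxy's real log to look for this pattern against an instance that has not yet been updated.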

Fix: available in Jenkins 2.275 and Jenkins LTS 2.263.2

Weakness Enumeration
Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

BIT-JENKINS-2021-21607
CVE-2021-21607
GHSA-CXQW-VJCR-GP5G
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637

Affected Products

Jenkins